Richard Bejtlich's blog on digital security, strategic thought, and military history.

Monday, November 28, 2005

SANS Replaces Several Threat References in Top 20

Last week I posted comments about several misuses of the word "threat" in the latest SANS twenty most critical Internet security vulnerabilities. After receiving an email from Alan Paller, I returned to the SANS site and saw many of my recommended changes were made. For example, you can now "Jump To Index of Top 20 Vulnerabilities", instead of "threats." I appreciate SANS taking my suggestions to heart.

Update: It's becoming clear where the confusion regarding "threat" vs "vulnerability" originates for the SANS Top 20. One of you pointed me towards the article Mac OS X Under Scrutiny. See how many misuses of the term threat you can find. Here's a freebie:

"SANS's Dhamankar stressed that the intent was not to call the Mac OS X operating system a threat, but to give Mac users a wake up call."

2 comments:

I definitely agree with your admonishment to use information security vocabulary correctly. I constantly run into marketing at work throwing around "threat" when they shouldn't.

Now if only they would make each vulnerability actually correspond to a single vulnerability (or at least a handful).

For example, they list "N1. Cisco IOS and non-IOS Products" -- isn't that ALL Cisco products? For this one I do concede that they go on to list only a handful of CVE names as examples, but surely they can come up with a better title.

This is more like a bunch of vulnerabilities put into 20 categories. "C10. Other Cross-platform Applications" is much worse. With a title like that, it should logically cover thousands of vulnerabilities.